<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=18" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <link rel="canonical" href="https://twitter.com/CraigHRowland/status/1523266585133457408" />
    <title>Agentless Linux Security - Craig Rowland (@CraigHRowland): &quot;I looked at the sources for #BPFdoor and ran @SandflySecurity against the binary. We could find this since at least 1.x of our product. Here is a run down of what it is doing.&quot; | nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="theme-color" content="#1F1F1F" />
    <meta property="og:type" content="photo" />
    <meta property="og:title" content="Agentless Linux Security - Craig Rowland (@CraigHRowland)" />
    <meta property="og:description" content="I looked at the sources for #BPFdoor and ran @SandflySecurity against the binary. We could find this since at least 1.x of our product. Here is a run down of what it is doing." />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="image/png" href="/pic/media%2FFSOy4IOacAAQNtR.png%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/media%2FFSOy4IOacAAQNtR.png" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/media%2FFSOy4IOacAAQNtR.png" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div id="m" class="main-tweet"><div class="timeline-item thread thread-line"><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266585133457408#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">I looked at the sources for <a href="/search?q=%23BPFdoor">#BPFdoor</a> and ran <a href="/SandflySecurity" title="Sandfly Security">@SandflySecurity</a> against the binary. We could find this since at least 1.x of our product. Here is a run down of what it is doing.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFSOy4IOacAAQNtR.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSOy4IOacAAQNtR.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="quote quote-big">
                  <a class="quote-link" href="/GossiTheDog/status/1522964028284411907#m"></a>
                  <div class="tweet-name-row">
                    <div class="fullname-and-username">
                      <img class="avatar round mini" src="/pic/profile_images%2F1384772727123349505%2FcRr36VVW_mini.jpg" />
                      <a class="fullname" href="/GossiTheDog" title="Kevin Beaumont">Kevin Beaumont<div class="icon-container"><span class="icon-ok verified-icon" title="Verified account"></span></div></a>
                      <a class="username" href="/GossiTheDog" title="@GossiTheDog">@GossiTheDog</a>
                    </div>
                    <span class="tweet-date"><a href="/GossiTheDog/status/1522964028284411907#m" title="May 7, 2022 · 3:38 PM UTC">21h</a></span>
                  </div>
                  <div class="quote-text" dir="auto">BPFDoor mega thread.

I've written about BPFDoor, a Unix implant discovered by PWC Threat Intelligence, which is being used as part of global surveillance for years.
<a href="https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896">doublepulsar.com/bpfdoor-an-…</a></div>
                  <a class="show-thread" href="/GossiTheDog/status/1522964028284411907#m">Show this thread</a>
                </div>
                <p class="tweet-published">May 8, 2022 · 11:40 AM UTC</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 5</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 9</div></span>
                </div>
              </div></div></div>
          <div class="after-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266591991148544#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266591991148544#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto"><a href="/search?q=%23BPFdoor">#BPFdoor</a> uses eBPF to sniff traffic. It can bypass firewall rules to see packets. When it starts it writes to /var/run/haldrund.pid which is obfuscated as hex in the code. It also masquerades its name using a number of pre-defined command line values below:</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFSOy-DPaMAIEKuj.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSOy-DPaMAIEKuj.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266597682827264#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266597682827264#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">After <a href="/search?q=%23bpfdoor">#bpfdoor</a> goes resident it deletes itself from disk. The working directory is /dev/shm (Linux ramdisk). A system reboot ensures the area is wiped. You can also see where it masks the cmdline and command portions in /proc. A ps command shows the bogus name.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFSOzUltagAEdrva.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSOzUltagAEdrva.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266603621568513#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266603621568513#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto"><a href="/search?q=%23BPFdoor">#BPFdoor</a> initiates anti-forensics by removing the binary afterwards, and this shows up as a deleted binary associated with a running process, which is always bad news.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFSOz3VQaUAEN4ej.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSOz3VQaUAEN4ej.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266609623691264#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266609623691264#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">The /proc/&lt;PID&gt;/stack area of the <a href="/search?q=%23BPFdoor">#BPFdoor</a> process shows some suspiciously named functions as the sniffer loop is waiting for commands.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFSO0GekagAAG1Ux.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSO0GekagAAG1Ux.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span></div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266615357231105#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266615357231105#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Also, a look under /proc/&lt;PID&gt;/fd shows a file descriptor that is actively grabbing packet traffic. We generated an alert on this and you can see the packet file descriptor in the raw forensic data. stdin, stdout, stderr are redirected.</div>
                <div class="attachments"><div class="gallery-row" style="">
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FFSO03uJaAAAQt3S.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSO03uJaAAAQt3S.jpg%3Fname%3Dsmall" alt="" /></a></div>
                    <div class="attachment image"><a class="still-image" href="/pic/media%2FFSO05ceakAAWjFP.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSO05ceakAAWjFP.png%3Fname%3Dsmall" alt="" /></a></div>
                  </div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span></div></span>
                </div>
              </div>
            </div>
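<p>The packet file descriptor and the redirected stdin/stdout/stderr in the tweet above can be checked without any product: a socket fd under /proc/&lt;PID&gt;/fd resolves to <code>socket:[inode]</code>, and every AF_PACKET socket on the host is listed with its inode in /proc/net/packet, so the two can be joined. The script below is an added example, not Sandfly's code or anything from the BPFdoor source; it assumes a <code>PROC_ROOT</code> variable so the same functions can be run against a constructed /proc fixture (invented pids 101 and 202, invented inodes 43210 and 55555, invented comm <code>demo-sniffer</code>) as well as the live /proc.</p>

```shell
#!/bin/sh
# Added example, not Sandfly's code: correlate /proc/PID/fd socket inodes with
# /proc/net/packet to find processes holding a raw AF_PACKET socket (the kind a
# BPF-filtered sniffer opens), and note when fds 0, 1 and 2 have all been
# pointed at /dev/null. PROC_ROOT defaults to the live /proc; the constructed
# fixture below (invented pids, inodes and names) lets the script run offline.
PROC_ROOT=${PROC_ROOT:-/proc}

# Inodes of every packet socket on the host (column 9 of /proc/net/packet).
packet_inodes() {
    awk 'NR > 1 { print $9 }' "$PROC_ROOT/net/packet"
}

# "fd inode" for each fd of PID $1 that is a packet socket.
packet_fds() {
    for fd in "$PROC_ROOT/$1"/fd/*; do
        [ -L "$fd" ] || continue            # no fds, or unreadable without root
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            'socket:['*']')
                inode=$(printf '%s' "$target" | tr -dc '0-9')
                if packet_inodes | grep -qx "$inode"; then
                    printf '%s %s\n' "${fd##*/}" "$inode"
                fi ;;
        esac
    done
    return 0
}

# True when fds 0, 1 and 2 of PID $1 all point at /dev/null.
stdio_nulled() {
    for n in 0 1 2; do
        [ "$(readlink "$PROC_ROOT/$1/fd/$n" 2>/dev/null)" = /dev/null ] || return 1
    done
    return 0
}

# One line per process holding a packet socket: pid, comm, fd numbers, stdio note.
scan_packet_sockets() {
    for d in "$PROC_ROOT"/[0-9]*; do
        pid=${d##*/}
        fds=$(packet_fds "$pid")
        [ -n "$fds" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null) || comm='?'
        note=''
        stdio_nulled "$pid" && note=' stdio=/dev/null'
        printf 'pid=%s comm=%s packet_fds=%s%s\n' "$pid" "$comm" \
            "$(printf '%s\n' "$fds" | awk '{ printf "%s%s", s, $1; s="," } END { print "" }')" "$note"
    done
    return 0
}

# Constructed fixture standing in for /proc: pid 101 is the suspect, pid 202 is
# a benign process with an ordinary (non-packet) socket. Dangling symlinks
# stand in for the kernel's magic links under /proc/PID/fd.
make_fixture() {
    mkdir -p "$1/net" "$1/101/fd" "$1/202/fd"
    printf 'sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n' > "$1/net/packet"
    printf '0000000000000000 3      3    0003   2     1 0      0      43210\n' >> "$1/net/packet"
    printf 'demo-sniffer\n' > "$1/101/comm"
    for n in 0 1 2; do ln -s /dev/null "$1/101/fd/$n"; done
    ln -s 'socket:[43210]' "$1/101/fd/3"
    printf 'sshd\n' > "$1/202/comm"
    ln -s /dev/pts/0 "$1/202/fd/0"
    ln -s 'socket:[55555]' "$1/202/fd/3"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); make_fixture "$tmp"
    PROC_ROOT=$tmp
    scan_packet_sockets    # prints: pid=101 comm=demo-sniffer packet_fds=3 stdio=/dev/null
    rm -rf "$tmp"
fi
```

<p>Run it as <code>sh scan.sh demo</code> for the fixture, or as root with no argument against the live system; fd links of other users' processes are not readable otherwise. A packet socket is not proof of compromise on its own (tcpdump, DHCP clients and some monitoring agents open them), so the interesting hits are the ones whose comm is not a known sniffer, or that also show the deleted-binary and empty-environment traits described later in the thread.</p>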
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266618159415296#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266618159415296#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">The process environment is wiped out so there are no traces to review. This is unusual for most processes on Linux and is worth investigating in and of itself.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266623318392833#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266623318392833#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">A closer look at the /proc/&lt;PID&gt;/cmdline and /proc/&lt;PID&gt;/comm forensic traces in the suspicious process below. Again, there are a number of seemingly benign names it will pick at random on startup.</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFSO1kQuaIAA8xvc.png%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFSO1kQuaIAA8xvc.png%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span></div></span>
                </div>
              </div>
            </div>
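<p>The process-level traces in the tweets above (the binary deleted while still running, a working directory under /dev/shm, a wiped environment, a comm and cmdline that do not match the executable, and the /var/run/haldrund.pid file from earlier in the thread) can all be read straight out of /proc. The script below is an added example, not Sandfly's code and not derived from the BPFdoor source; it checks each trait per process and assumes a <code>PROC_ROOT</code> variable so it can run against a constructed fixture (invented pids 301 and 302, invented names <code>demo-implant</code> and <code>demo-daemon</code>) as well as the live /proc.</p>

```shell
#!/bin/sh
# Added example, not Sandfly's code: walk /proc and report the anti-forensic
# traits described in the thread for each process: executable unlinked while
# running ("(deleted)" on the exe link), working directory under the /dev/shm
# ramdisk, an empty environment, and a comm or argv[0] that does not match the
# executable's name. pidfile_present checks for the /var/run/haldrund.pid the
# implant writes. PROC_ROOT defaults to the live /proc; the constructed fixture
# below (invented pids and names) lets the script run offline.
PROC_ROOT=${PROC_ROOT:-/proc}

# argv[0] of PID $1, read from the NUL-separated cmdline file.
argv0() {
    tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" 2>/dev/null | head -n 1
}

# One line per indicator found on PID $1; nothing for a process that looks normal.
process_indicators() {
    d=$PROC_ROOT/$1
    exe=$(readlink "$d/exe" 2>/dev/null) || exe=''
    case $exe in *' (deleted)') echo "exe_deleted:$exe" ;; esac
    cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd=''
    case $cwd in /dev/shm|/dev/shm/*) echo "cwd_ramdisk:$cwd" ;; esac
    if [ -f "$d/environ" ] && [ ! -s "$d/environ" ]; then echo "environ_empty"; fi
    # Name checks: comm is capped at 15 bytes by the kernel, so compare that prefix.
    name=$(printf '%s' "$exe" | sed 's/ (deleted)$//'); name=${name##*/}
    comm=$(cat "$d/comm" 2>/dev/null) || comm=''
    a0=$(argv0 "$1"); a0base=${a0##*/}
    if [ -n "$name" ]; then
        [ "$comm" = "$(printf '%.15s' "$name")" ] || echo "comm_mismatch:comm=$comm exe=$name"
        [ -z "$a0" ] || [ "$a0base" = "$name" ] || echo "argv0_mismatch:argv0=$a0 exe=$name"
    fi
    return 0
}

# True when the pid file named in the thread exists under root filesystem $1.
pidfile_present() {
    [ -e "$1/var/run/haldrund.pid" ]
}

# pid plus space-joined indicators for every flagged process.
scan_processes() {
    for d in "$PROC_ROOT"/[0-9]*; do
        pid=${d##*/}
        ind=$(process_indicators "$pid" | awk '{ printf "%s%s", s, $0; s=" " } END { print "" }')
        [ -z "$ind" ] || printf 'pid=%s %s\n' "$pid" "$ind"
    done
    return 0
}

# Constructed fixture: pid 301 shows every trait, pid 302 is an ordinary daemon.
# Dangling symlinks stand in for the kernel's magic links under /proc.
make_fixture() {
    mkdir -p "$1/proc/301" "$1/proc/302" "$1/fs/var/run"
    ln -s '/dev/shm/demo-implant (deleted)' "$1/proc/301/exe"
    ln -s /dev/shm "$1/proc/301/cwd"
    : > "$1/proc/301/environ"
    printf 'demo-daemon\n' > "$1/proc/301/comm"
    printf '/sbin/demo-daemon\0' > "$1/proc/301/cmdline"
    ln -s /usr/sbin/sshd "$1/proc/302/exe"
    ln -s / "$1/proc/302/cwd"
    printf 'PATH=/usr/bin\0' > "$1/proc/302/environ"
    printf 'sshd\n' > "$1/proc/302/comm"
    printf '/usr/sbin/sshd\0-D\0' > "$1/proc/302/cmdline"
    : > "$1/fs/var/run/haldrund.pid"
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); make_fixture "$tmp"
    PROC_ROOT=$tmp/proc
    scan_processes
    pidfile_present "$tmp/fs" && echo 'pidfile: /var/run/haldrund.pid present'
    rm -rf "$tmp"
fi
```

<p>Run it as <code>sh indicators.sh demo</code> for the fixture, or as root with no argument to scan the live system (exe, cwd and environ of other users' processes are unreadable otherwise). Each trait has benign causes on its own: a package upgrade leaves long-running daemons with a deleted exe until restart, a kernel thread or a process started with <code>env -i</code> has an empty environment, and an interpreter or a symlinked shell produces an argv[0] that differs from the exe name. A process that shows several at once, with a packet socket open, is the combination the thread describes.</p>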
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266625893388288#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266625893388288#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Looking at the code, it has backdoor capability with encryption (RC4). It also mods iptables rules to allow access when needed. The shell also has some anti-forensics measures in place.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span></div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266628078637056#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266628078637056#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">The code is looking for a magic packet with a user-defined password on TCP, UDP or ICMP. Once seen, various things can happen such as shell, etc.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span></div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/CraigHRowland/status/1523266630196678656#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523266630196678656#m" title="May 8, 2022 · 11:40 AM UTC">59m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">I'll have a longer write-up this week after seeing this backdoor. The use of eBPF is not common and the backdoor is minimalist to avoid detection but get the job done. But, it can be found pretty easily if you know how to look. Thank you <a href="/GossiTheDog" title="Kevin Beaumont">@GossiTheDog</a> for the thread.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span></div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/CraigHRowland/status/1523276929498959874#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/CraigHRowland"><img class="avatar round" src="/pic/profile_images%2F1050655612646830080%2Fal1tArWP_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/CraigHRowland" title="Agentless Linux Security - Craig Rowland">Agentless Linux Security - Craig Rowland</a>
                        <a class="username" href="/CraigHRowland" title="@CraigHRowland">@CraigHRowland</a>
                      </div>
                      <span class="tweet-date"><a href="/CraigHRowland/status/1523276929498959874#m" title="May 8, 2022 · 12:21 PM UTC">18m</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Check out our blog for many more Linux forensics articles. I'll post there about <a href="/search?q=%23BPFDoor">#BPFDoor</a> when I look at it closer:

<a href="https://www.sandflysecurity.com/blog/">sandflysecurity.com/blog/</a></div>
                <div class="card"><a class="card-container" href="https://www.sandflysecurity.com/blog/">
                    <div class="card-image-container"><div class="card-image"><img src="/pic/card_img%2F1521501514925481985%2F-RhxaCAn%3Fformat%3Djpg%26name%3D420x420_2" alt="" /></div></div>
                    <div class="card-content-container"><div class="card-content">
                        <h2 class="card-title">Blog</h2>
                        <p class="card-description">Linux security and forensic articles. Learn about using command line tools to find hackers on Linux and receive product updates on Sandfly.</p>
                        <span class="card-destination">sandflysecurity.com</span>
                      </div></div>
                  </a></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div></div>
  </body>
</html>